tabox 1.3.0

A sandbox to execute a program in an isolated environment and measure its resource usage
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
// SPDX-License-Identifier: MPL-2.0

use std::fs;
use std::path::Path;

use anyhow::Context;
use nix::mount::{mount, MsFlags};
use nix::sys::stat::{mknod, Mode, SFlag};

use crate::configuration::{DirectoryMount, SandboxConfiguration};
use crate::Result;

/// Create the sandbox filesystem
pub fn create(config: &SandboxConfiguration, sandbox_path: &Path) -> Result<()> {
    // Create the sandbox dir and mount a tmpfs in it
    mount(
        Some("tmpfs"),
        sandbox_path,
        Some("tmpfs"),
        MsFlags::empty(),
        Some("size=256M,mode=0755"),
    )
    .context("Failed to mount tmpfs for the sandbox")?;

    // Create /dev
    let dev = sandbox_path.join("dev");
    fs::create_dir_all(&dev).context("Failed to create /dev for the sandbox")?;

    for device in &["null", "zero", "random", "urandom"] {
        mount_dev(&dev.join(device), device)
            .with_context(|| format!("Failed to mount /dev/{} in the sandbox", device))?;
    }

    // Mount /tmp and /dev/shm
    if config.mount_tmpfs {
        for path in &["tmp", "dev/shm"] {
            let target_path = sandbox_path.join(path);
            fs::create_dir_all(&target_path)
                .with_context(|| format!("Failed to create /{} in the sandbox", path))?;
            mount(
                Some("tmpfs"),
                &target_path,
                Some("tmpfs"),
                MsFlags::empty(),
                Some("size=256M"),
            )
            .with_context(|| {
                format!(
                    "Failed to mount tmpfs for /{} at {}",
                    path,
                    target_path.display()
                )
            })?;
        }
    }

    if config.mount_proc {
        let target = sandbox_path.join("proc");
        fs::create_dir_all(&target).context("Failed to create /proc in the sandbox")?;
        mount(
            Some("proc"),
            &target,
            Some("proc"),
            MsFlags::empty(),
            None::<&str>,
        )
        .with_context(|| format!("Failed to mount proc at {}", target.display()))?;
    }

    // bind mount the readable directories into the sandbox
    for dir in &config.mount_paths {
        mount_dir(dir, sandbox_path).with_context(|| {
            format!(
                "Failed to mount {} -> {}",
                dir.source.display(),
                dir.target.display()
            )
        })?;
    }

    // Remount tmpfs read only
    mount(
        None as Option<&str>,
        sandbox_path,
        None as Option<&str>,
        MsFlags::MS_REMOUNT | MsFlags::MS_RDONLY,
        None as Option<&str>,
    )
    .context("Failed to remount sandbox directory as readonly")?;
    Ok(())
}

/// Create a device
fn mount_dev(path: &Path, dev: &str) -> Result<()> {
    mknod(
        path,
        SFlag::empty(),
        Mode::S_IRUSR
            | Mode::S_IWUSR
            | Mode::S_IRGRP
            | Mode::S_IWGRP
            | Mode::S_IROTH
            | Mode::S_IWOTH,
        0,
    )
    .with_context(|| format!("Failed to mknod {}", path.display()))?;
    mount(
        Some(&Path::new("/dev").join(dev)),
        path,
        None as Option<&str>,
        MsFlags::MS_BIND,
        None as Option<&str>,
    )
    .with_context(|| format!("Failed to bind-mount /dev/{}", dev))
}

/// Mount a directory inside the sandbox
fn mount_dir(dir: &DirectoryMount, sandbox_dir: &Path) -> Result<()> {
    trace!("Mount {:?}", dir);
    assert_ne!(dir.target, Path::new("/"));

    // Join destination with the sandbox directory
    let target = sandbox_dir.join(dir.target.strip_prefix("/")?);

    fs::create_dir_all(&target)
        .with_context(|| format!("Failed to create mount target at {}", target.display()))?;

    mount(
        Some(&dir.source),
        &target,
        None as Option<&str>,
        MsFlags::MS_BIND | MsFlags::MS_REC,
        None as Option<&str>,
    )
    .with_context(|| {
        format!(
            "Failed to bind-mount {} -> {}",
            dir.source.display(),
            target.display()
        )
    })?;

    if !dir.writable {
        mount(
            None as Option<&str>,
            &target,
            None as Option<&str>,
            MsFlags::MS_REMOUNT
                | MsFlags::MS_RDONLY
                | MsFlags::MS_BIND
                | MsFlags::MS_NOSUID
                | MsFlags::MS_NODEV,
            None as Option<&str>,
        )
        .with_context(|| format!("Failed to readonly remount at {}", target.display()))?;
    }
    Ok(())
}